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L INTRODUCTION 

Article XI-A ofthe Pennsylvania Election Code, 25 P.S, §§ 3031.1 etseq. (the 
“Code”), authorizes the use of electronic voting systems. Section 1105-A ofthe Code, 25 
P.S. § 3031.5(a), allows any ten or more qualified electors of Pennsylvania to request a 
reexamination of an electronic voting system certified by the Secretary ofthe 
Commonwealth (“Secretary’*)- On July 17,2019, the Acting Secretary ofthe 
Commonwealfii (“Acting Secretary”) received a Petition to Reexamine the ExpressVote XL 
(the “Petition”). A copy of that Petition is attached hereto as Appendix A. 

The ExpressVote XL was initially examined and certified as part of the ES&S EVS 
6021 electronic voting system to both federal and state voting system standards by the 
Election Assistance Commission (“EAC”) on November 12,2018 and by the Secretary of 
the Commonwealth on November 30,2018. 

The Petition sets forth ten claims for why the Acting Secretary should de-certify the 
ExpressVote XL (XL). After a thorough and considered review of the Petition, the Acting 
Secretary has determined that claims three through seven, nine, and ten amount to purely 
legal arguments which do not apply to reexamination or certification of an electronic voting 
system. With respect to claims one, two, and eight, the Acting Secretary, in consultation 
with the Department of State’s expert voting system examiner, ree xamine d the XL and 
concluded that the XL meets the requirements of Section 1107-A of the Pennsylvania 
Election Code, 25 P.S. § 3031.7, and can be safely used to conduct elections in the 
Commonwealth. 

To satisfy the Secretary’s statutory obligation to reexamine the XL system based on 
claims one, two, and eight in the Petition, the Pennsylvania Department of State 
(“Department”) entered into an agreement with ejqjert professional consultant SLI 
Compliance (“SLI”) to conduct a focused reexamination of the XL. Jesse Peterson, Security 
Specialist, and Mike Santos, Senior Test Manager, served as the examiners (“Examiners”). 
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The ofF-sitc reexamination was conducted at the laboratory of SLI Compliance located in 
Wheat Ridge, Colorado. The Department was represented by Sindhu Ramachandran, 
Voting System Analyst, for the reexamination on August 7 and 8,2019. The Examiners 
then provided findings from the examination, and the test results and conclusion have been 
included in further sections of this report. 


n. THE EXPRESSVOTE XL VOTING SYSTEM 
ExpressVote XL 

Express Vote XL is a polling place voting device that provides touch screen vote 
capture which incorporates printing of a voter’s selections as a paper voter-verifiable record 
and tabulation scanning into a single unit The system uses a touch-operated screen and/or 
assistive technology to c^ture a voter’s choices. The integrated thermal printer prints the 
voter’s choices on a voter-verifiable paper vote summary record and the syst«n scans and 
saves an image of the printed vote summary record. The vote summary record is the voter- 
verifiable paper record with plain text words of the votes to be cast, which, once cast, will 
be retained as the official vote record and used for audits and/or recounts. 

The software/firmware version of ExpressVote XL certified as part of the EVS 6021 
system is 1.0.1.0 and the hardware version is 1.0. 

Test Materials 

Test support materials utilized during the examination included: 

• Two ExpressVote XL devices 

■ CFAST cards for both ExpressVote XL devices 

■ Thermal receipt pap^ for the Expressvote XL 

■ Activation card stock for processing vote summary records on the ExpressVote XL 

• CFAST Cards 

■ USB thumb drives 
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m. REEXAMINATION APPROACH 

A. Approach Sammary 

The reexamination focused on the alleged violations of Sections 1107-A(1) and (12) 
of the Pennsylvania Election Code, 25 P.S. §§• 3031.7(1) & (12), relating to vote record 
secrecy and security, set forth in items one, two, and eight of the petition. The Examiner 
evaluated the petition and relevant system documentation to develop test protocols for the 
examination. All hardware necessary to perform the reexamination was supplied by ES&S. 
Software and firmware for the EVS 6021 voting system was obtained firom the Voting 
System Test Lab (“VSTL”) that performed the EAC certification test campaign. The 
Examiner installed the firmware using the appropriate media and process for installation. 

The test protocols sepamted the requirements for the reexamination into three main 
areas of test execution: (1) Security Analysis and Evaluation; (2) Functional Testing; and (3) 
Documentation Review. 

1. Security Analysis and Evaluation 

The Examiners performed security analysis of the XL, with special consideration to 
the items set forth in the Petition. The Examiners’ security specialist reviewed the system to 
evaluate the system’s security protocols. In order to gather details for the functional test 
execution, SLI included a review of internal security, functional and architectural diagrams, 
software specification, as well as ExpressVote XL hardware schematic documentation. The 
analysis was done to reexamine the sj^tan architecture and operations and to plan a 
comprehensive approach to analyze and evaluate each allegation. The Examiners also 
utilized the vulnerability assessment performed during the initial examination of the EVS 


4 


6021 voting system. This evaluation was used during test planning to identify the specific 
test cases to be executed during the functional testing and documentation review phases. 

2. Functional Testing 

The functional testing phase involved SLI personnel executing test cases identified 
during the security analysis and evaluation. This phase provided a means to assess the 
security and functional pre^erties of the voting system under examination to ascertain 
whether they provide accq>table security procedures to prevent tampering with or 
substitution of vote summary records, as required by the Pennsylvania Election Code at 25 
P.S. § 3031.7(12). The Examiner also used the functional testing to evaluate compliance of 
the system to the Pennsylvania Election Code requirement at 25 P.S.§ 3031.7(1) to ascertain 
whether the sj^tem provides for processes and procedures to ma intain the secrecy of a 
voter’s ballot. 

3. Documentation Review 

The documentation review phase consisted of reviewing the ES&S EVS 6021 voting 
system documentation to verify that appropriate processes and procedures are in place to 
provide acceptable security and privacy as required by 25 P.S.§§ 3031.7(1) and (12). 

IV. Examination Results and Discussion 

A. Examination Results and Discussion regarding Allegation #1 

The Petition’s allegation number one alleges that the XL violates Section 1107-A(12) of 
the Pennsylvania Election Code, 25 P.S. § 3031.7(12), which requires that a voting system 
“provides acceptable ballot security procedures and impoxmdment of ballots to prevent 
tampering with or substitution of any ballots or ballot cards,” because it does not provide 
acc^table procedures to prevent tampering. 

As detailed below, The Examiner evaluated these claims and determined through 
security analysis and evaluation, functional testing, and documentation review that the XL 
does not violate Section 1107-A(12) of the Pennsylvania Election Code because it has 
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protocols and mechanisms to provide for acceptable security procedures to prevent 
tampering with or substitution of the vote summary records. The results of the Examiner’s 
documentation review and testing are summarized in the following paragraphs of this 
section. 

1- Security Analysis and Evaluation 

The security specialist reviewed the internal security, functional and architectural 
diagrams, software specifications, as well as the XL hardware schematic documentation. 
The Examiners also utilized the vulnerability assessment performed during the initial 
examination of the EVS 6021 voting system. The Examiners gathered information about the 
system security protocols in place to prevent undetectable malicious manipulation of the 
XL, as well as information about the programmatic and physical access controls in place to 
prevent tampering. The Examiners then used the information gathered during this evaluation 
to identify specific test cases to be executed during the functional testing and documentation 
review phases. 

2. Functional Testing 

The XL was set up following all the physical security measures described in the 
relevant system documentation. The Examiners reviewed and tested each of the physical 
security measures in place, which demonstrated that different system access points and the 
CFAST cards could not be reached without proper keys and tools. The Examiners then 
performed a hash code validation successfully, confirming tiiat the installed image matched 
the certified image. 

The Examiners installed the trusted build and loaded a test general election on the 
XL devices used for the testing effort. The security specialist tried to penetrate the system 
using the system access points/ports and was unsuccessful. The Examiner also performed a 
hash code validation on the XL after the tests to confirm that the trusted build firmware was 
still present on the device. The Examiners confirmed that any modifications to the files on 
the CFAST cards would be identified as a mismatch during hash code validation and hence 


6 





any unauthorized changes would be detected. 


The Examiners demonstrated the XL voting process and reviewed the system 
schematics and software actions. The voting process was demonstrated as follows: the 
terminal is opened for voting and the voter inserts a blank activation card. The voter selects 
the candidate choices and then selects the “Print” button. The XL prints the voter’s choices 
on a paper vote summary record using the thermal printer. The vote summary record is then 
scaimed and presented to the voter via the front facing voter verification window. The voter 
reviews and verifies flie vote summary record and selects the “Cast” button. The system then 
saves and tabulates the votes and d^osits the printed vote s ummar y record into the 
collection bin without being re-scanned. Dimng the examination of the syst^a it was 
observed that the location of the print head, after the initial print, allows the vote summary 
record to pass to the collection bin without making contact with the print head agflj n during 
the vote summary record deposit process. 

The Examiners also carefully evaluated the voting process to identify any distinct 
cues during the printing process and observed that the printing process was audible and thus 
detectable. Hence, a successful attempt to activate the printer to print on the vote summary 
record after the voter verifies his or her selections would be heard. 

The Examinois also attempted to change the tabulation of the vote by modifying the 
bar code on the paper vote summary record after verification by the voter but were 
unsuccessful. Attempts were also made to insert and tabulate modified bar codes by the 
system and those attempts too were unsuccessful. 

3. Documentation Review 

The Examiners conducted documentation review to determine if there are acceptable 
seexuity processes in place to prevent unauthorized access or tampering and to determine if 
there are mechanisms in place to identify if any unauthorized or malicious acts have taken 
place. The system documentation cited multiple procedures in place to ensure that the 
security of the XL is maintained, including: warehouse seciuity for 
storage/maintenance/transportation, poll worker selection, poll woiher training, physical 
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security of the polling place environment, pthysical security of the device (keys, security 
screws, tape, other tamper resistant/evident items), USB security, bar code security, 
programmatic security of the XL, as well as system auditing. The Examiner reported that the 
system executables and bar codes have mechanisms in place to detect xmauthorized 
modification. Configuration of the paper vote summary record also allows the voter- 
verifiable text to be formatted with options to leave no blank lines between contest and 
selections, which prevents malicious software fix>m leaving out a voter’s selections and/or 
filling them in after a voter reviews their vote summary record, 

B. Examinatioii Results and Discussion regarding Allegation #2 

The Petition’s allegation number two alleges that the XL violates Section 1107-A(1) of 
the Pennsylvania Election Code, 25 P.S. § 3031.7(1), which requires that a voting system 
“provides for voting in absolute secrecy and prevents any person fi^om seeing or knowing for 
whom any voter, except one who has received or is receiving assistance as prescribed by law, has 
voted or is voting,” because it stores the voter verified paper records in chronological order. 

As detailed below, the Examiners evaluated these claims and determined through 
security analysis and evaluation, functional testing, and documentation review that the XL 
does not violate Section 1107-A(1) of the Pennsylvania Election Code because, when used 
in accordance with statutory and recommended procedures for maintaining proper chain of 
custody and canvassing votes, it provides for voting in “absolute secrecy,” with exception 
for voters who are receiving assistance. 

1. Security Analysis and Evaluation 

The security specialist reviewed the internal security, functional and architectural 
diagrams, software specifications, as well as the XL hardware schematic doc ume ntation, 

The Examiners also utilized the vulnerability assessment performed during the initial 
examination of the EVS 6021 voting system. The Examiners gathered information about the 
system security protocols and procedures in place to prevent and detect unauthorized access 
to the ballot bin and to maintain voter secrecy during the process of votin g and after the 
close of polls. The Examiners then used the information gathered during this evaluation to 
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identify specific test cases to be executed during the functional testing and documentation 
review phases. 

2. Functional Testint; 

The Examiners completed vote sessions and demonstrated the actions at close of 
polls by the poll worker. The Examiners concluded that in accordance with recommended 
procedures, once an election has been closed, a poll worker will not be handling the paper 
vote summary records which are sealed in the collection bins. The Examiners provided a 
recommendation suggesting that processes to randomize vote siimmaiy records should be 
performed at the county office in accordance with the Pennsylvania Election Code, which 
will be a required condition for use of this system. 

3. Documentation Review 

The Examiners concluded that system documentation identifies procedures 
recommended by the vendor during implementation and operation to prevent violation of 
vote record secrecy, including: physical security to prevent and/or detect unauthorized 
attempts to access the paper vote summary records, assi gnin g voters in a relatively equal 
distribution among multiple devices, as well as assigning multiple officials from different 
parties to handle vote record collection bins. In addition, vote record secrecy is maintained 
when statutory procedures for commingling ballots is conducted prior to canvass and 
storage by the county board of elections. 

C. Examination Results and Discussion regarding Allegation #8 

The Petition’s allegation numba: ci^t alleges that the XL violates Section 1107-A(1) of 
die Pennsylvania Election Code, 25 P.S. § 3031.7(1), which requires that a voting system 
“provides for voting in absolute secrecy and prevents any p^son from seeing or knowing for 
whom any voter, except one who has received or is receiving assistance as presaibcd by law, has 
voted or is voting,” because it requires a voter to request assistance from a poll worker during the 
process of “spoiling” the paper vote summary record when the voter made an error during the 
process of voting. 
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As detailed below, the Examiners evaluated these claims and determined through security 
analysis and evaluation, functional testing, and documentation review that the XL does not 
violate Section 1107-A(1) of the P«insylvania Election Code because, when used in the context 
of proper statutory and recomm^ded procedures for polling place setup and poll worker 
training, it provides for voting in “absolute secrecy,” with exception for voters who are receiving 
assistance in the voting booth. 

1. Securih' Analysis and Evaluation 

The security specialist reviewed die internal security, functional and architectural 
diagrams, software specifications, as well as the XL hardware schematic documentation. 

The Examiners also utilized the vulnerability assessment performed during the initial 
examination of the EVS 6021 voting system. The Examiners gath^ed information about the 
system security protocols and procedures in place to prevent unauthorized access to the 
paper vote summary records and to preclude imauthorized access to the system 
administration screen used during the process of assisting voters who need to spoil their 
ballots before they are cast The Examiners also evaluated what, if any, malicious activity 
could be accomplished if an unauthorized person or persons learned the passcode used to 
access the system administration screen. The Examiners then used the information gathered 
during this evaluation to identify specific test cases to be executed during the functional 
testing and documentation review phases. 

2. Functional Testinu 

To test this Petition item, the Examiners demonstrated the process of spoiling a vote 
summaiy record and concluded that appropriate voter and poll worker training and 
instructions on tiie screen can ensure vote record secrecy. This will also be made a condition 
of this recertification report. The allegation about the password compromise was also 
reviewed and the Examiners determined that a compromise of all the characters of the 
supervisor password would be very diflRcult, and an audible chime sounds after three failed 
attempts to enter the password. The Examiners noted that even if the password was known 
to an unauthorized person, they would not be able to access any functions related to voting 
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or tabulation and any actions performed by the session user are recoverable. The Examiners 
also noted that the position of the poll worker during the process doesn’t lend itself to easily 
viewing the voter’s choices, and also pointed out tiiat since the voter has decided to spoil the 
vote summary record it is not his/her final intended vote selection. 

3. Documaitation Review 

The Examiners concluded that the system docximentation identifies multiple 
procedures to protect voter privacy and prevent the compromise of the supervisor password. 
Please refer to Section V, Additional Conditions for Certification, for details regarding the 
required procedures. 

V. Additional Conditions for Certification 

Given the results of the reexamination that occurred in August 2019, and the findings 
and recommendations of the Examiners, the Acting Secretary of the Commonwealth 
maintains the certification of the XL subject to the following additional conditions: 

A. Jurisdictions selecting the XL must implement proper poll closing and vote record 
transportation procedures to ensure that collection bins containing paper vote summary records 
are sealed and transported with propw chain of custody to the county office. Poll worker training 
must include the details of the procediires to ensure tiiat collection bins r emain sealed until 
delivered to the county office. Collection bins must be opened in the presence of board of 
election members and must be commingled before canvass and storage, in a manner consistait 
with the procedure outlined for the canvassing of absentee ballots under Section 1308(e) of the 
Election Code, 25 P.S. § 3146.8(e). 

B. Jurisdictions implementing the XL must ensure that vote summary recoid 
instructions include ^ecific voter and poll worker instmetions added on the screen detailing 
spoiling procedures and cues to protect voter privacy. In addition, poll worker training must; 

• Emphasize the need to obscure any view of the paper vote summary record during 
the process of spoiling the record; 
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• Educate poll workers on the proper steps to be taken when they respond to a voter 
request for spoUing the vote summary record to ensure that the secrecy of the 
spoiled record is maintained. These steps include ensuring that the voter infftn dg 
to spoil the record, has read the instructions on the screen and has been infonned 
by the poll worker how to prevent inadvertent view of the vote summary record 
before the poll worker enters inside the privacy curtain; 

VI. Conclusion 

As a result of the reexamination, and after consultation with the Department’s staff, 
cotonscl and the Examiners, the Acting Secretary of the Commonwealth concludes that the 
ExpressVote XL certified as part of the EVS 6021 voting system can be safely used by 
voters at elections, as provided in the Pennsylvania Election Code, and meets all of the 
requirements set forth in the Election Code, provided the votin g system is imnlcmcnted 
Wpder th? Ppnditipns Usted in Section IV of the initial certification repor t released on 

Wpveiwber 30t 2018 and the conditions listed in Section V of thi s report . Accordingly, 
the Acting Secretary maintains the certification of EVS 6021 - ExpressVote XL for use in 
this Commonwealth. 
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Appendix A 


FREESPEECH 

people 


National 

Election 

Defense 

Coalition 


Citizens f or y 
Better 
Eiections 


July 16, 2019 


Honorable Kathy Boockvar 

Acting Secretary of the Commonwealth 

Pennsylvania Department of State 

Bureau of Commissions, Elections and Legislation 

302 North Office Building, 401 North Street 

Harrisburg, PA 17120 


Dear Secretary Boockvar, 

Pursuant to 25 P.S. § 3031.5, on behalf of the undersigned electors of the Commonwealth of 
Pennsylvania, we hereby request a re-examination of the ES&S ExpressVote XL electronic 
voting machine. We enclose at least ten (10) certifications of duly registered electors in the 
Commonwealth of Pennsylvania who seek this re-examination. We have enclosed a check for 
$450 payable to the Treasurer of the Commonwealth of Pennsylvania. 

As you know, “[t]he Secretary’s duty to re-examine the machines upon proper request is 
mandatory.” Banfield v. Aichele, 51 A.3d 300, 314 (Commw. Ct. Perm. 2012), aff’dsub nom. 
Banfieldv. Cortes, 110A.3d 155 (2015). 

We have attached a list of deficiencies in the ExpressVote XL which require attention during re¬ 
examination. We also note that the ES«S:S ExpressVote H W 2.1 used as a tabulator shares many 
of the same deficiencies as the ExpressVote XL. 

We respectfully request that the Secretary of the Commonwealth re-examine the ExpressVote XL 
electronic voting machine and issue a report relating to the functionality of the system. We 
request that this re-examination be conducted expeditiously because several counties in the 
Commonwealth have chosen or are considering the ExpressVote XL, and all comities must act 
quickly to comply with the Department of State directive to select new voter-verifiable paper 
record voting systems no later than December 31,2019. 



If the Secretary of the Commonwealth determines that the attached deficiencies are compelling 
evidence to preemptively decertify the ExpressVote XL, we would withdraw our petition for re¬ 
examination. 


Respectfully submitted, 


Ronald A. Fein, Legal Director 
John C. Bonifaz, President 
Free Speech For People 
1320 Centre St. #405 
NcAvton, MA 02459 
(617) 244-0234 

rfein@fi-eespeechforpeople.org 

jbonifaz@freespeechforpeople.org 


Susan Greenhalgh 

Vice President of Policy and Program 
National Election Defense Coalition 


Kevin Skoglund 
Chief Technologi st 
Citizens for Better Elections, 

A member of the Protect Our Vote Philly Coalition 


Petition Pages 


200 signatures by duly registered electors 
in the Commonwealth of Pennsylvania 


From the counties: 

Philadelphia 

Allegheny 

Montgomery 

Bucks 

Delaware 

Westmoreland 

Northampton 


Attachment: ES&S Express Vote XL Deficiencies 

We seek re-examination of the ES&S Express Vote XL voting machine on these grounds. 

1. Tampering with Ballot Cards 

The Express Vote XL violates § 1107-A, 25 P.S. § 3031.7 (12), which requires that a 
voting system; 

‘Trovides acceptable ballot security procedures and impoundment of 
ballots to prevent tampering with or substitution of any ballots or ballot 
eards.” 

Since the Pennsylvania Certification of ES&S EVS 6.0.2.1, security researchers 
discovered' that the Express Vote XL exposes a ballot card cast by a voter to an internal 
printer prior to tabulation and impoundment. The internal printer is controlled exclusively 
by software which has the ability to tamper with the content of the ballot card. A 
malfunctioning or manipulated Express Vote XL could add, modify, or invalidate votes 
after the voter has viewed, confirmed, and cast her ballot. It could change election 
outcomes without detection. This is a very high impact defect which affects the integrity 
and auditability of the voting system. 

This defect violates the principle of software independence: “A voting system is 
software-independent if an undetected change or error in its software cannot cause an 
undetectable change or error in an election outcome.”^ Software independence will be 
WSG 2.0 Guideline 9.1 and is recognized as necessary for effective auditing. It is a 
“crucial” requirement for evidence-based elections as defined by Professors Philip Stark 
and David Wagner: “All three components are crucial. The risk-limiting audit relies on 
the integrity of the audit trail, which was created by the software-independent voting 
system (the voters themselves, in the case of paper ballots) and checked for integrity by 


' References available at: 

https://freedom-to-tinker.eom/2018/10/16/design-flaw-in-dominion-imagecast-evolution-voting-machine 

https://freedom-to-tinker.eom/2018/10/22/an-unverifiability-principle-for-voting-machines 

https://securiosa.coni/posts/how_the_expressvote_xI_could_alter_ballots.html 

https://securiosa.com/posts/how_expre.ssvote_barcodes_could_be_modified.html 

2 “On the Notion of Software-Independence in Voting Systems,” Ronald Rivest and John Wack, 
Philosophical Transactions of The Royal Society, August 6, 2008, Page 1, available at https:// 
people.csail.mit.edu/rivest/RivestWack-OnTheNotionOfSoftwareIndependencelnVotingSystems.pdf 
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the compliance audit.Acceptable ballot security procedures to prevent tampering must 
include ensuring auditability and enabling evidence-based elections. 


It is common sense that a voting machine should not have the ability to change votes after 
the voter has confirmed and cast her ballot. The same reasoning is evident and explicitly 
stated in § 1222, 25 P.S. § 3062 (a), “No person while handling the ballots shall have in 
his hand any pencil, pen, stamp or other means of marking or spoiling any ballot.” 
Acceptable ballot security procedures to prevent tampering must include a similar 
restrietion on any machine while handling the ballots. 


2. Chronological Ballot Storage 

The Express Vote XL violates § 1107-A, 25 P.S. § 3031.7 (1), which requires that a voting 
system: 


“Provides for voting in absolute secrecy and prevents any person fi-om 
seeing or knowing for whom any voter, except one who has received or is 
receiving assistance as prescribed by law, has voted or is voting.” 

The ExpressVote XL ballot container stores ballot cards in chronological order. It allows 
any poll worker or election official who knows even limited details about the sequence of 
voters to violate the absolute secrecy of one or more voters. A voter’s ballot could be 
determined by referencing the order of voters in the poll book or on the poll list, by 
counting from the first or last ballot in the set, or by counting from another identifiable 
ballot, such as one with a known write-in vote. This is a significant defect. 
Chronologically ordered ballots fail to protect voters’ right to a secret ballot and enable 
information harvesting, vote buying and selling, and voter coercion. 

The Pennsylvania Department of State has long held the position that voting systems with 
chronologically ordered ballots violate absolute secrecy. Dr. Michael Shamos, statutory 
examiner for the Secretary of the Commonwealth from 1980 to 2010, testified to a U.S. 
Senate committee in 2007, “Even paper trail advocates recognize that scrolled paper trails 
make it easy, not just possible, to determine how every voter in a precinct voted. The first 
voter’s ballot is first on the tape; the last voter’s is last; and everyone else’s is sequential 
order in between. A simple comparison between the paper trail and the poll list gives 
away everyone’s vote, in violation of the Section 201 requirement of a secret ballot. Even 


3 “Evidence-Based Elections,” Philip Stark and David Wagner, IEEE Security and Privacy, May 8,2012, 
Page 2, available at https://www.stat.berkeley.edu/~stark/Preprints/evidenceVotel2.pdf 
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if only two percent of the vote is audited, it means that two percent of the voters are at 
risk of having their votes revealed. 

The “Conditions of Certification” for ES&S EVS 6.0.2.1 do not require any procedures to 
randomize the order of ballot cards or to otherwise protect ballot secrecy. Even if 
procedures had been required, the voting system caimot depend on procedures—which 
may not be consistently or correctly employed—to restore ballot secrecy. The voting 
system itself must provide it. 


3. Ballot Cards Colored by Party 

The Express Vote XL violates § 1109-A, 25 P.S. § 3031.9 (e): 

“In primary elections, the Secretary of the Commonwealth shall choose a 
color for each party eligible to have candidates on the ballot and a separate 
color for independent voters. The ballot cards or paper ballots and ballot 
pages shall be printed on card or paper stock of the color of the party of the 
voter eind the appropriate party affiliation or independent status shall be 
printed on the ballot card or at the top of the paper ballot and on the ballot 
pages.” 

The ballot cards used by the Express Vote XL are made of solid white thermal paper. The 
card stock is not colored for each party. The ballot cards are blank and do not have the 
appropriate party affiliation or independent status printed on the ballot card. 

In primary elections, the party affiliation of a voter is determined definitively when the 
voter checks in, signs the poll book, and is given a ballot card. Before the voter may vote, 
a poll worker must configure the Express Vote XL to display the ballot style of the voter’s 
parly. If ballot cards are not on colored card stock with the party affiliation, the voter can 
tell the poll worker a different party affiliation, cast fraudulent votes in another party’s 
election, and the impounded ballot card would show no evidence of the fraud. Colored 
card stock with the party affiliation printed also reduces the chance that a poll worker will 
set the wrong ballot style for a voter by accident. 

It should be demonstrated that the required ballot cards are possible and that the 
ExpressVote XL is capable of using them. 


Testimony before the U.S. Senate Committee on Rules and Administration, July 25, 2007, 
http://euro.ecom.cmu.edu/people/faculty/mshamos/Senate20070725.pdf 
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4. Serially Numbered Perforated Stubs 

The ExpressVote XL violates § 1109-A, 25 P.S. § 3031.9 (f): 

.Each ballot card shall have an attached serially numbered perforated 
stub, which shall be removed by an election officer before the ballot card is 
deposited in the district automatic tabulating equipment or in a secure ballot 
box. The name of the county, and a facsimile of the signature of the 
members of the county board shall be printed on the ballot card stub.” 

The ExpressVote XL violates § 1112-A, 25 P.S. § 3031.12 (b)(6), which requires a 
procedure for a district using paper ballots or ballot cards: 

“Following the completion of his vote, the voter shall leave the voting 
booth and return the ballot to the election officer by a means designed to 
insure its secrecy; upon removal of the stub of the ballot by the election 
officer, the voter shall insert the ballot into the district automatic tabulating 
equipment or, in the event district tabulation is not provided for by the 
voting system or such district tabulation equipment is inoperative for any 
reason, into a secure ballot box. No ballot card from which the stub has 
been detached shall be accepted by the election officer in charge of such 
equipment or ballot box, but it shall be marked “spoiled” and shall be 
placed in the envelope marked “Spoiled Ballots”.” 

In addition, § 1113-A, 25 P.S. § 3031.13 (a) requires that, after the polls have been 
closed, the serially numbered stubs be used as evidence of the number of ballots issued to 
electors so that number may be announced in the polling place and recorded. 

The ballot cards used by the ExpressVote XL do not have attached serially numbered 
perforated stubs. The ballot cards are blank and do not have a facsimile of the signature 
of the members of the county board printed on the ballot card stub. 

The ExpressVote XL is designed such that a voter does not handle the ballot after the 
completion of her vote. The voter cannot leave the voting booth with the ballot card to 
return it to an election officer. The election officer does not have an opportunity to 
remove the stub. The election officer is not able to verify that the stub has not been 
detached from the ballot card in order to mark it as spoiled. 
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Without serially numbered stubs and signatures, any person could forge ballot cards. 
Forged ballot cards can be submitted for tabulation secretly and independently because, 
unlike most district tabulating equipment, the Express Vote XL tabulator is inside a 
privacy curtain, where election workers cannot observe voter activity. 

Serially numbered stubs prevent “chain voting.” Professor Doug Jones describes the 
fraud technique and the defense against it: “The organizer of the chain needs one valid 
ballot to begin with. He then marks this ballot and gives it to a voter willing to participate 
in the fraud. With each participant, the organizer instructs the participant to vote the pre¬ 
voted ballot and bring back a blank ballot from the polling place. Voters are paid for the 
blank ballot. The best defense against chain voting involves printing a unique serial 
number on a removable stub on each ballot. When ballots are issued to voters, the stub 
numbers should be recorded. No ballot should be accepted for deposit in the ballot box 
unless its stub number matches a recently issued number. Finally, to preserve the voter’s 
right to a secret ballot, the stub should be tom from the ballot before it is inserted in the 
ballot box.”5 

It should be demonstrated that the required ballot cards are possible and that the 
Express Vote XL is capable of using them.^ 


5. Valid Marks on a Ballot Card 

The ExpressVote XL violates § 1112-A, 25 P.S. § 3031.12 (b)(2-4), which applies to 
districts using paper ballots or ballot cards. 

The three procedures in § 3031.12 (b)(2-4) each specify that a voter shall vote on a ballot 
card by “making a cross (X) or check (■/) mark or by making a punch or mark sense 
mark in the square opposite the name” of the candidate, the party, the write-in position, or 
the answer to a ballot question. The type of mark and its position relative to the name is 
specified six times in total. 

The ExpressVote XL does not make a cross or check mark or make a punch or mark 
sense mark, nor does it permit a voter to do so. On an ExpressVote ballot card there is no 


® “On Optical Mark-Sense Scanning,” Douglas W. Jones, in Towards Trustworthy Elections, 2010, Page 
178, available at http://homepage.cs.uiowa.edu/~jones/voting/OpticaLMarkSenseScanning.pdf 

^ Upon information and belief, the ExpressVote XL could be made to use compliant ballot cards, as ES&S 
apparently offered serially numbered cards in Michigan. However, the machines certified and used in 
Pennsylvania do not use compliant ballot cards. 
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square opposite the name in which to place any mark. Instead a barcode is printed near 
the top of the ballot card, separate and far from the name. The barcodes are not even 
listed in the same order as the names are listed. 

The type of mark and its position relative to the name is an important requirement. A 
valid mark next to a corresponding name allows the voter to verify that each vote 
matches her intent prior to casting the ballot card, ensuring the principle of “cast as 
intended.” A valid mark next to a corresponding name allows election officials or any 
person to easily observe, count, and audit the vote, without software or special 
equipment. The Election Code intends for the meaning of each vote to be transparent and 
software independent. 


6. Indicated Voting Positions on Ballot Cards 

The ExpressVote XL violates § 1109-A, 25 P.S. § 3031.9 (a)(2). 

“The pages placed on the voting device shall be of sufficient number to 
include, following the listing of particular candidates, the names of 
candidates for any nonpartisan offices and any measures for which a voter 
may be qualified to vote on a given election day, provided further that for 
municipal, general or special elections, the first ballot page shall list in the 
order that such political parties are entitled to priority on the ballot, the 
names of such political parties with designating arrows so as to indicate the 
voting square or position on the ballot card where the voter may insert 
by one mark or punch the straight party ticket of his choice.” (Emphasis 
added). 

The ExpressVote XL violates § 1109-A, 25 P.S. § 3031.9 (d). 

“In partisan elections the ballot cards shall include a voting square or 
position whereby the voter may by one punch or mark record a straight 
party ticket vote for all the candidates of one party or may vote a split ticket 
for the candidates of his choice.” (Emphasis added). 

The ExpressVote XL lists political parties on the touchscreen. If a voter makes a straight 
party choice, the ExpressVote XL will later record the selection by printing a barcode and 
human-readable text on the ballot card. This process does not meet the requirements. 
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An electronic voting machine is required to list the political parties with arrows to 
indicate positions on the ballot card. The Express Vote XL does not indicate voting 
positions on the ballot card, nor does it use any “designating arrows.” In fact, there are no 
fixed positions on the ballot card—the location of the barcode and human-readable text 
will vary depending on the voter’s other selections. 


7. Unlawful Assistance in Voting 

The Express Vote XL would require voters to violate § 1218, 25 P.S. § 3058 (a): 

“No voter shall be permitted to receive any assistance in voting at any 
primary or election, unless there is recorded upon his registration card his 
declaration that, by reason of blindness, disability, or inability to read or 
write, he is unable to read the names on the ballot or on the voting machine 
labels, or that he has a physical disability which renders him unable to see 
or mark the ballot or operate the voting machine, or to enter the voting 
compartment or voting machine booth without assistance, the exact nature 
of such condition being recorded on such registration card, and unless the 
election officers are satisfied that he still suffers from the same condition.” 

The Express Vote XL would require election officers to violate § 1111-A, 25 P.S. § 

3031.11 (b): 

“At the polling place on the day of the election, each voter who desires 
shall be instructed, by means of appropriate diagrams and a model, in the 
operation of the voting device before he enters the voting booth. If any 
voter shall ask for further instructions concerning the manner of voting 
after entering the voting booth, any election officer may give him audible 
instructions without entering such booth, but no such election officer 
shall when giving such instructions in any manner request, suggest or seek 
to persuade or induce any such voter to vote any particular ticket or for any 
particular candidate or other person or for or against any particular 
question.” (Emphasis added). 

The Express Vote XL would require voters and election officers to violate § 1220, 25 P.S. 

§ 3060 (a): 
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No elector shall be allowed to occupy a voting compartment or voting 
machine booth already occupied by another, except when giving assistance 
as permitted by this act.” 

When any voter using the Express Vote XL wants to spoil her ballot card or wants to 
handle the ballot card for physical review, they must select an option in the interface to 
“Quit.” The Express Vote XL displays on screen (and reads into the audio ballot) the 
message: “Vote Session Canceled. Your ballot was canceled with no votes cast. Ask an 
election official for help.” The Express Vote XL emits a chiming sound to alert a poll 
worker. A poll worker must enter the voting booth, touch a designated location on the 
screen, enter an administrator password using an on-screen keypad, and retrieve the ballot 
card from the windowed container where it is held. 

All voters have the right to spoil their ballot card. (§ 1112-A, 25 P.S. § 3031.12 (b)(5): 
“Any voter who spoils his ballot may return it and secure another.”) A voting system is 
required to allow voters to spoil their ballot card. (§ 1107-A, 25 P.S. § 3031.7 (10): “If it 
is of a type that uses paper ballots or ballot cards to register the vote and automatic 
tabulating equipment to compute such votes, the system shall provide that a voter who 
spoils his ballot may obtain another ballot”.) The Express Vote XL does not allow a voter 
to spoil her ballot card without a poll worker entering the booth in violation of the above 
requirements. 

Voters with disabilities may wish to handle the ballot card to verify it using a magnifier or 
other personal assistive device. This is only possible with poll worker assistance and is 
only permitted if the voter has previously recorded their disability on their voter 
registration. Voters who have recorded a disability may “select a person” to enter the 
voting booth (§ 1218, 25 P.S. § 3058 (b)). This person could be a poll worker, but if 
another person has already been selected to assist, a poll worker entering the booth would 
violate the above requirements. 

This deficiency has consequences for both the voter and the poll worker. § 1830,25 P.S. § 
3530 (“Unlawful assistance in voting”) specifies that any voter “who, without having 
made the declaration under oath or affirmation required by section 1218 of this act... 
shall permit another to accompany him into the voting compartment or voting machine 
booth” or “any person who shall go into the voting compartment or voting machine booth 
with another while voting or be present therein while another is voting” is guilty of a 
misdemeanor and will be sentenced to pay a fine, imprisonment, or both. 
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8. Poll Workers in the Booth and Ballot Secrecy 

The Express Vote XL violates § 1107-A, 25 P.S. § 3031.7 (1), which requires that a voting 
system; 


“Provides for voting in absolute secrecy and prevents any person from 
seeing or knowing for whom any voter, except one who has received or is 
receiving assistance as prescribed by law, has voted or is voting.” 

The Express Vote XL violates the Help America Vote Act of 2002 (HAVA), § 301(a)(1)(A) 
(ii), which requires that a voting system shall: 

“provide the voter with the opportunity (in a private and independent 
manner) to change the ballot or correct any error before the ballot is cast 
and counted (including the opportunity to correct the error through the 
issuance of a replacement ballot if the voter was otherwise unable to change 
the ballot or correct any error)” 

The previously described procedure for spoiling a ballot card on the Express Vote XL 
allows the poll worker, upon entering the voting booth, to view the selections on the 
ballot card through the windowed container and while handling the ballot card. The poll 
worker will look directly at the ballot card while extracting it from the container. The poll 
worker can see and know for whom the voter has voted or is voting. The ExpressVote XL 
does not allow any voter to privately and independently correct an error through the 
issuance of a replacement ballot. 

It is also noteworthy that this procedure reveals an administrator password to the voter. 
The poll worker enters the password in front of the voter using an on-screen keypad and 
each character is displayed in the input field as it is typed. During public demonstrations 
of the ExpressVote XL, several members of the public reported easily observing the 
administrator password used. 


9. Accessibility 

The ExpressVote XL violates § 1107-A, 25 P.S. § 3031.7(5), which requires that a voting 
system: 

“Permits each voter to vote for any person and any office for whom and for 
which he is lawfully entitled to vote, whether or not the name of such 
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person appears upon the ballot as a candidate for nomination or 
election.” (Emphasis added). 

The Express Vote XL violates § 1107-A, 25 P.S. § 3031.7(3), which requires that a voting 
system: 


“Permits each voter.. .to vote a straight political party ticket.. .by one mark 
or act, to vote for all the candidates of one political party for every office to 
be voted for, and every such mark or act shall be equivalent to and shall be 
counted as a vote for every candidate of the political party so marked 
including its candidates for presidential electors, except with respect to 
those offices as to which the voter has registered a vote for individual 
candidates of the same or another political party or political body, in which 
case the automatic tabulating equipment shall credit the vote for that office 
only for the candidate individually so selected, notwithstanding the fact that 
the voter may not have individually voted for the full number of candidates 
for that office for which he was entitled to vote.” (Emphasis added). 

The Express Vote XL violates the Help America Vote Act of 2002 (HAVA), § 301(a), 

which requires that a voting system shall: 

l.A.i: “permit the voter to verify (in a private and independent manner) the 
votes selected by the voter on the ballot before the ballot is cast and 
counted.” 

l.A.ii: “provide the voter with the opportunity (in a private and independent 
manner) to change the ballot or correct any error before the ballot is cast 
and counted (including the opportunity to correct the error through the 
issuance of a replacement ballot if the voter was otherwise unable to change 
the ballot or correct any error).” 

3. A: “be accessible for individuals with disabilities, including nonvisual 
accessibility for the blind and visually impaired, in a manner that provides 
the same opportunity for access and participation (including privacy and 
independence) as for other voters.” 

To the extent that any HAVA Section 261 funds are involved, use of the ExpressVote XL 

also violates HAVA § 261 (b): 
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An eligible State and eligible unit of local government shall use the 
payment received under this part for— (1) making polling places .., 
accessible to individuals with disabilities, including the blind and visually 
impaired, in a manner that provides the same opportunity for access and 
participation (including privacy and independence) as for other voters. 


The Pennsylvania Certification of ES&S EVS 6.0.2.1 included an accessibility testing 
report on pages 68-94. The Express Vote XL was harshly reviewed by the accessibility 
test group. 

“Every participant had at least one problem, despite relatively high election knowledge 
and digital experience, suggesting that the issue would be more severe for voters without 
these personal resources to help them understand what is happening.” (Page 70) 

“None of the participants could verify the ballot in the glass cage: 

• Blind voters had no access to the ballot to use personal technology 

• Low vision voters could not position the ballot so they could read the small text 

• Other voters had problems reading the ballot because of glare and because the sides of 
the ballot were obscured by the cage. 

• Although it is possible to have the ballot ejected to handle it while verifying, the 
procedure is unclear and it requires voters to tell the system they want to “Quit” and call 
a poll worker.” (Page 74) 

Participants in the accessibility study found the Express Vote XL made it diffieult to cast 
write-in votes. For a vote for a write-in candidate to count, spelling must be perfect and 
“[a]ll of the participants knew that a misspelled write-in would not be counted, but could 
not figure out how to review what was typed.” (Pages 70-71, 86-87). Furthermore, the 
Express Vote XL did not allow participants to review any write-in votes through the audio 
ballot because the text of the write-in is not encoded in the barcodes printed on the ballot 
card. (Pages 73, 75, 88). 

Voters relying on the audio ballot had significant issues with voting a “straight- 
party” ticket. If a voter selects a single candidate outside the straight-party ticket, 
the Express Vote XL deselects all other candidates, without informing the audio- 
guided voter. The accessibility testing report describes this problem as “not only a 
failure to vote independently, but identifying and solving the problem requires 
revealing their votes to a poll worker or assistant.” (Pages 68-69). The audio ballot 
also “does not announce the party of each candidate. This made it impossible to 
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complete tasks based on party, including confirming straight party 
selections.” (Pages 83, 86). 

The Pennsylvania Department of State’s accessibility testing report makes it clear that the 
Express Vote XL is not accessible for individuals with disabilities “in a manner that 
provides the same opportunity for access and participation (including privacy and 
independence) as for other voters.” Most importantly for these voters, it does not “permit 
the voter to verify (in a private and independent manner) the votes selected by the voter 
on the ballot before the ballot is cast and counted.” 


lO.ThCiS'/e/w Settlement 

The Express Vote XL violates the settlement in Stein v. Cortes-J 

“2. The Secretary will only certify new voting systems for use in 
Pennsylvania if they meet these criteria: 

a. The ballot on which each vote is recorded is paper; 

b. They produce a voter-verifiable record of each vote; and 

c. They are capable of supporting a robust pre-certification auditing 
process. 

3. The Secretary will continue to direct each county in Pennsylvania to 
implement these voting systems by the 2020 primaries, so that every 
Pennsylvania voter in 2020 uses a voter-verifiable paper ballot.” 

The ExpressVote XL does not provide the voter a paper ballot, as that term is defined by 
25 P.S. § 3031.1. Instead, it provides a “ballot card.” A paper ballot is a piece of paper 
with the options pre-printed, whereas a ballot card only prints a voter’s selection on blank 
piece of paper. See id. (defining paper ballot as “a printed paper ballot which conforms in 
layout and format to the voting device in use” and ballot card as “a card which is 
compatible with automatic tabulating equipment and on which votes may be registered”). 

Because the ExpressVote XL does not provide a paper ballot, Pennsylvania voters in 
counties using the ExpressVote XL will not receive a voter-verifiable paper ballot in 
2020, in contravention of the Stein settlement’s requirement that the Secretary “direct 
each county in Pennsylvania to implement these voting systems by the 2020 primaries, so 
that every Pennsylvania voter in 2020 uses a voter-verifiable paper ballot.” 


^ Stein V. Cortes, No. 16-CV-06287, ECF No. 108 (E.D. Pa. Nov. 28,2018), available at http://bit.lv/ 
SteinSettlement . 
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